Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This action is in response to the amendment/remarks filed 11/26/2025. Claims 1, 2, and 4-20 are pending. Claims 1 (software) and 11 (a method) are independent.
Response to Arguments
On page 28 of the remarks, in response to the 112(f) interpretation and 112(b) rejection stating it was “unclear which portions of the specification are intended to [be] read into the claim with these corresponding modules”, Applicant provides the following references:
"integration module" - [23], [25]
"action module" - [25], [39], [46]-[48], [70]
"cyber threat module" - [25], [37]-[38], [42], [49], [51]-[53], [73], [75], [77]
"secure communications module" [24], [30], [32], [35], [41]
"autonomous response module" [24], [32], [39], [46], [48], [59]-[60], [62]- [69]
"email module" [36]-[37], [39]-[40], [44], [56], [60]-[61], [83], [85], [87], [89]- [90]
These modules will be interpreted in correspondence therewith and the 112(b) rejection is withdrawn.
Applicant's arguments filed 11/26/2025 have been fully considered but they are not persuasive.
On page 14 of the response Applicant states that “plug-ins and extensions are not inherently limited to software only implementations”. Applicant then substantiates the argument by referencing ¶¶ 130 and 137 which have a generic expansive definition that “These algorithms can be written in a number of different software programming languages such as Python, C, C++ … Also, an algorithm can be … configured logic gates”. This argument is not persuasive regarding the 112(b) issue raised in claims 3 and 13, and now included in claims 1 and 11.
Claims 1 and 11 (previously 3 and 13) require (a) a plug-in integration for the email client application or (b) a browser extension for integration with a browser. These are software elements; see attached Wikipedia definitions thereof.
However, the claims further state: “when any portions of the integration module, the cyber threat module, and the endpoint agent extension are implemented as software instructions” implying that these elements may be wholly implemented in hardware.
A browser extension and a plugin are not hardware elements, as the terms are known in the art; see attached Wikipedia definitions thereof. Applicant’s template paragraphs 130 and 137 are informative for drafting machine/software-computer-readable-medium claims; however, they do not function to redefine the meaning of known terms of art.
Where applicant acts as his or her own lexicographer to specifically define a term of a claim contrary to its ordinary meaning, the written description must clearly redefine the claim term and set forth the uncommon definition so as to put one reasonably skilled in the art on notice that the applicant intended to so redefine that claim term. Process Control Corp. v. HydReclaim Corp., 190 F.3d 1350, 1357, 52 USPQ2d 1029, 1033 (Fed. Cir. 1999). The terms “plug-in” and “browser extension” in claims 1 and 11 are used by the claims to mean hardware elements while the accepted meaning is software modules. The terms are indefinite because the specification does not clearly redefine them.
Examiner notes that this issue is more significant as Applicant is relying on the implied structure/function of a plug-in or extension to overcome the prior art (see below) while simultaneously asserting that the prior art definitions of plug-in and extension are incorrect; see attached Wikipedia definitions thereof. Thus, not only is the structure/function required of the claimed plug-in/extension ambiguous, such structure/function is additionally asserted as unique over the art.
On page 19 of the remarks, Applicant discusses the 112(b) rejection of claims 4-9 and 14-19 by stating that “Applicant explains that paragraph 0010 and Figure 2 make clear that the cyber security appliance 260A, 260B, 260C is a component in the cyber defense system.”
However, Examiner respectfully submits that the claims are not directed to a “cyber defense system”. Claims 1 and 11 are directed to “an cyber defense system, comprising: and endpoint agent extension ….” It is not clear if the claimed cyber defense system further comprises a “cyber defense appliance located on the network” in claims 4 and 14. This is because claims 4 and 14 only further state that the “cyber defense system of claim 1, further comprising: a secure communication module in the endpoint agent extension” and are not stated to further comprise the “cyber defense appliance located on the network” itself. The question presented is whether the claims require possession/operation of both the “endpoint agent extension” and the “cyber defense appliance located on the network” or just the “endpoint agent extension”. This is important for several limitations and, for example, claim 9 that further defines the “cyber defense appliance located on the network”. If the appliance is within the claimed invention then operation or possession of the “cyber defense appliance located on the network” would be necessary for infringement.
In other words, the claims are ambiguous because on their face they require only the “endpoint agent extension”; and if so, the description of the “cyber defense appliance” would be unclaimed, non-limiting, subject matter.
On pages 46-47 of the response Applicant discusses the art rejections in view of Treat and Call. Examiner agrees that Treat does not disclose a plugin or extension, as previously noted with respect to claim 3.
Applicant notes that “call does not monitor or enforce actions on both inbound emails and outbound emails.” Examiner agrees but notes that Treat as previously cited discusses outbound emails. See newly provided reference Yaghmour, US 2006/0123476, detailed below.
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The filing of a terminal disclaimer by itself is not a complete reply to a nonstatutory double patenting (NSDP) rejection. A complete reply requires that the terminal disclaimer be accompanied by a reply requesting reconsideration of the prior Office action. Even where the NSDP rejection is provisional the reply must be complete. See MPEP § 804, subsection I.B.1. For a reply to a non-final Office action, see 37 CFR 1.111(a). For a reply to final Office action, see 37 CFR 1.113(c). A request for reconsideration while not provided for in 37 CFR 1.113(c) may be filed after final for consideration. See MPEP §§ 706.07(e) and 714.13.
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The actual filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/apply/applying-online/eterminal-disclaimer.
Claims 1 and 11 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 3 and 13 of U.S. Patent No. 11,962,552. Although the claims at issue are not identical, they are not patentably distinct from each other because presently presented claims 1 and 11 are anticipated by the corresponding claims of ‘552.
Presently presented claim: 1, 11
Corresponding anticipatory claim of ‘552: 3, 13
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.
Claims 1, 2, and 4-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claims 1 and 13 require: “i) a plug-in integration for the email client application and ii) a browser extension for integration with a browser-based email client application, and where when portions of i) the endpoint agent extension and ii) any modules are implemented in software”. The definition of a plug in or extension is an expansion to software; the implication that the plug-in or extension may not be software is ambiguous as it challenges the meaning of the terms.
See attached Wikipedia definitions.
Dependent claims 2-12 and 14-20 are rejected due to their dependency on claims 1 and 13, respectively.
Claims 4-9 and 14-19 require: “a cyber security appliance of the cyber defense system”.
It is unclear whether the “cyber security appliance” is a component of the claimed “cyber defense system, comprising: an endpoint agent” of claims 1 and 11. If the cyber security appliance is not part of the claimed machine/method, then acts attributed to the cyber security appliance are non-limiting, or external to the claim.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1, 2, 4-8, 10-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Treat et al., US 2017/0264628 (published 2017), in view of Yaghmour, US 2006/0123476 (published 2006).
As to claims 1, 11, 13, and 20, Treat discloses a software/method comprising:
A cyber defense system:
an endpoint agent extension for email that includes two or more modules
an integration module of the endpoint agent extension configured to integrate the endpoint agent extension (“endpoint agent is configured to monitor a file transfer application executed on the client device, and a system, process, and/or computer program product for automated insider threat prevention” Treat ¶ 40) with an email client application on an endpoint computing device to detect email cyber threats in emails in the email client application as well as regulate outbound emails; and (“a client device can access a service provided by a server via the Internet, such as a web-related service (e.g., web site, cloud-based services, streaming services, or email service such as web-posting applications, email applications, and/or other file transfer related applications” Treat ¶ 74)
an action module of the endpoint agent extension configured to interact with the email client application to direct autonomous actions, by the action module rather than a human taking an action, against at least an outbound email including its attached files and/or linked files under analysis (“assume that Alice typically uses Box and Gmail but does not typically use Yahoo mail or Dropbox, and assume that a behavior profile for Alice is configured to associate Yahoo mail and Dropbox as file transfer activity applications that are commonly used by Alice. In this case, a network device and/or endpoint agent can detect a file transfer activity that does not match the behavior profile for Alice (e.g., based on APP ID and user ID techniques as described below, it can be determined that Alice is sending a threshold amount of data in a predefined period of time using such a new FT service/application), and the network device and/or endpoint agent can then block/kill that file transfer activity” Treat ¶ 51. also Treat ¶ 41)
when a cyber threat module determines the outbound email including its attached files and/or linked files to be at least one of (a) to be a data exfiltration threat, (“detecting and preventing insider threats, unwanted user behavior and tactics used to exfiltrate protected and sensitive information from the enterprise.” Treat ¶ 53) (b) both malicious and anomalous behavior as compared to a user's modeled email behavior, (“transfer activity that does not match the behavior profile for Alice” Treat ¶ 51), where the autonomous actions, against at least the outbound email and the files, include one or more actions selected from a group consisting of i) logging a user off the email client application, ii) preventing the sending of the outbound email, iii) stripping the attached files and/or disabling the link to the files from the outbound email, and iv) sending a notification to cyber security personnel of an organization regarding the outbound email. (“throttling a connection associated with the anomalous activity, block the connection associated with the anomalous activity, kill a process associated with the anomalous activity, generate an alert based on the anomalous activity, log the anomalous activity, update the behavior profile for the user based on the anomalous activity, or any combination thereof.” Treat ¶ 41. Treat ¶¶ 51 and 91 discussing email examples.)
…
and outbound emails; and (“associate Yahoo mail and Dropbox as file transfer activity applications that are commonly used by Alice…. endpoint agent can detect a file transfer activity that does not match the behavior profile for Alice (e.g., based on APP ID and user ID techniques as described below, it can be determined that Alice is sending a threshold amount of data in a predefined period of time using such a new FT service/application), and the network device and/or endpoint agent can then block/kill that file transfer activity” Treat ¶ 51. also Treat ¶ 41)
where the integration module, the cyber threat module, and the endpoint agent extension are configured to cooperate with one or more processors and one or more non-transitory computer readable mediums such that when any portions of the integration module, the cyber threat module, and the endpoint agent extension are implemented as software instructions, then the software instructions are configured to be stored in an executable format on the one or more non-transitory computer readable mediums and are configured to be executed by the one or more processors. (“an endpoint agent executed on the laptop computer)” Treat ¶ 52. “Endpoint Security Manager (ESM) 454 (e.g., ESM 454 can be implemented in software and executed on a hardware processor of prevention controller 450 to facilitate deployment and management of the host agents (endpoint security agents) executed on the client devices,” Treat ¶ 78)
Treat does not explicitly disclose:
wherein the endpoint agent extension is implemented as one of i) a plug-in integration for the email client application and ii) a browser extension for integration with a browser-based email client application, where the endpoint agent extension is resident on the endpoint computing device to interface with the email client application resident in that endpoint computing device to perform actions of monitoring and enforcement on both inbound emails
Yaghmour discloses:
wherein the endpoint agent extension is implemented as one of i) a plug-in integration for the email client application (“A sender module 4, such as an email client plug-in, is integrated in the sender station 2 and interfaces with the sender's existing email client application.” Yaghmour ¶ 72. “The recipient module 24 may be an email client plug-in interfacing with the recipient's existing email client application. The recipient module 24, which may be the same plug-in used for contacting the authentication server 8 and getting emails signed as described earlier, is activated when an email is received by the recipient as part of the normal email retrieval.” Yaghmour ¶ 79)
and ii) a browser extension for integration with a browser-based email client application, (alternate embodiment)
where the endpoint agent extension is resident on the endpoint computing device to interface with the email client application resident in that endpoint computing device to perform actions of monitoring and enforcement on both inbound emails (“Using this information, the recipient's software may then choose to either apply filtering to the received message or display messages differently according to the rating of the sender.” Yaghmour ¶ 89) and outbound emails (“The sender module 4 is activated when the sender attempts to send an email that is to be signed to the recipient station 14.” Yaghmour ¶ 72)
A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Treat with Yaghmour by utilizing the client email plug-in of Yaghmour to perform special processing for sent and received emails in the process of Treat. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Treat with Yaghmour in order to provide an email handling interface that is compatible with existing infrastructure, Yaghmour ¶ 25, such as the email applications of Treat ¶ 4.
As to claims 2 and 12, Treat discloses the software/method of claims 1 and 11 and further discloses:
an attachment analyzer of the endpoint agent extension that is configured to scan a file i) attached to and/or ii) linked to the (“endpoint agent can detect a file transfer activity that does not match the behavior profile for Alice (e.g., based on APP ID and user ID techniques as described below, it can be determined that Alice is sending a threshold amount of data in a predefined period of time using such a new FT service/application), and the network device and/or endpoint agent can then block/kill that file transfer activity or perform another responsive action based on this example ITP policy” Treat ¶ 51) outbound email that is about to be sent in an outbox, (“insider threat prevention (ITP) policy) caps file transfers to 10 megabytes (MB) within a predefined period of time to an offsite site (e.g., Box, Gmail” Treat ¶ 50) in order to analyze content and meta data of the file via investigation of the file structure, (“in which the content ID component can provide real-time content scanning, such as for monitoring and/or controlling file transfer activities (including data limits on file transfers and/or destination-based restrictions on such file transfers), such as further described below), and/or other information to match signatures (e.g., file-based, protocol-based, and/or other types/forms of signatures for detecting malware or suspicious behavior).” Treat ¶ 59, note Applicant’s specification ¶ 28) a meta data analysis tool, (threshold amount of data Treat ¶ 51) and machine learning analysis (“behavior profile generator 730 can be implemented using various data mining techniques, such as using one or more machine learning techniques, for normal behavior state determination.” Treat ¶ 98) to gather information about the file itself and the content in the file. (see above).
As to claims 4 and 14, Treat discloses the software/method of claims 1 and 11 and further discloses:
a secure communications module (“receive and transmit communications to and from the prevention controller can be encrypted using a standard encryption protocol (e.g., SSL or another standard encryption protocol).” Treat ¶ 94) in the endpoint agent extension configured to securely communicate with one or more modules in a cyber security appliance of the cyber defense system located in a network connected to the endpoint computing device, (“behavior profile generator 730 can be implemented using various data mining techniques, such as using one or more machine learning techniques, for normal behavior state determination.” Treat ¶ 98) where the modules of the endpoint agent extension are configured to receive and factor in, (“endpoint security agent 706 can provide endpoint inputs (e.g., based on monitored endpoint activities on a client device associated with an enterprise network) and execute actions on the endpoint/client device based on the monitored endpoint activities and a policy (e.g., a firewall/ITP policy).” Treat ¶ 90) both knowledge outside an email domain as well as metrics and other information from the email domain, collected by the one or more modules of the cyber defense appliance located on the network, (“endpoint agent can detect a file transfer activity that does not match the behavior profile for Alice (e.g., based on APP ID and user ID techniques as described below, it can be determined that Alice is sending a threshold amount of data in a predefined period of time using such a new FT service/application), and the network device and/or endpoint agent can then block/kill that file transfer activity or perform another responsive action based on this example ITP policy” Treat ¶ 51) where the modules of the endpoint agent extension also are configured to use the computing power of the one or more modules of the cyber defense appliance for one or more of the machine learning models, where the endpoint agent extension uses both the external computing power and additional knowledge collected outside the email domain (“behavior profile generator 730 can be implemented using various data mining techniques, such as using one or more machine learning techniques, for normal behavior state determination.” Treat ¶ 98)
in order to analyze contextual information about the outbound email under analysis, about user behavior of the user generating the outbound email, and/or about a particular file i) attached to or ii) linked to the outbound email. (“that does not match the behavior profile for Alice (e.g., based on APP ID and user ID techniques as described below… endpoint agent can then block/kill that file transfer activity” Treat ¶ 51)
As to claims 5 and 15, Treat discloses the software/method of claims 1 and 11 and further discloses:
a secure communications module in the endpoint agent extension configured to securely communicate with one or more modules in a cyber security appliance (“receive and transmit communications to and from the prevention controller can be encrypted using a standard encryption protocol (e.g., SSL or another standard encryption protocol).” Treat ¶ 94) of the cyber defense system located in a network connected to the endpoint computing device in order to receive contextual information (“endpoint security agent 706 can provide endpoint inputs (e.g., based on monitored endpoint activities on a client device associated with an enterprise network) and execute actions on the endpoint/client device based on the monitored endpoint activities and a policy (e.g., a firewall/ITP policy).” Treat ¶ 90) outside an email domain about the outbound email under analysis, (Treat ¶¶ 41 and 51) as well as take instructions or receive additional information from an autonomous response module of the cyber security appliance regarding what autonomous action to take against the outbound email to mitigate a threat posed by the outbound email and its attachments and/or links. (“process the input to make a determination/decision, execute an action/response (e.g., which can utilize a network device/firewall to perform a network action and/or an endpoint security agent to perform an endpoint action, as also shown in FIG. 7)” Treat ¶ 88)
As to claims 6 and 16, Treat discloses the software/method of claims 1 and 11 and further discloses:
where the cyber defense appliance of the cyber threat defense system is located in an IT network, an OT network, a SaaS environment, a cloud network, and/or any combination of these networks, (any network?) to exchange secure communications with the endpoint agent extension (“receive and transmit communications to and from the prevention controller can be encrypted using a standard encryption protocol (e.g., SSL or another standard encryption protocol).” Treat ¶ 94) to provide additional contextual information about user behavior outside the email domain, contextual information about attached files to the email under analysis (“endpoint security agent 706 can provide endpoint inputs (e.g., based on monitored endpoint activities on a client device associated with an enterprise network) and execute actions on the endpoint/client device based on the monitored endpoint activities and a policy (e.g., a firewall/ITP policy).” Treat ¶ 90) to determine whether the outbound email under analysis and its attachments and/or links either i) are unusual or ii) are not unusual in context of a current user's behavior under analysis, to prevent incidents of data loss as well as wrongly addressed recipients. (endpoint action of Treat ¶ 88. “The disclosed techniques can also provide a greater efficiency and control over user file transfer activities for an enterprise. The disclosed techniques can also improve decisions and preventative actions performed in response to network traffic that exceeds a threshold metric (e.g., based on a behavior profile associated with a user). The disclosed techniques can also identify and prevent attackers using compromised credentials to exfiltrate data from an enterprise (e.g., steal data from the enterprise).” Treat ¶ 53)
As to claims 7 and 17, Treat discloses the software/method of claims 1 and 11 and further discloses:
an email module of the cyber security appliance cooperating with the one or more machine learning models in the cyber security appliance to perform machine learning analysis (“a behavior profile generator is provided using prevention controller 450 as shown with behavior profile generator 730 in FIG. 7, using a cloud security service” Treat ¶ 98) on all inbound and outbound email flow for an organization (“(e.g., web site, cloud-based services, streaming services, or email service such as web-posting applications, email applications, and/or other file transfer related applications and/or components of applications/web services that perform such web-posting applications, email applications,” Treat ¶ 74) to develop an awareness of a pattern-of-life for i) each individual user, (“the behavior profile for the user can include a plurality of metrics based on one or more file transfer application activities associated with the user,” Treat ¶ 36)
ii) the organization as a whole, and iii) clustered groups of users the machine learning identifies as being closely associated with a given user,
(“ a static default value can be utilized for thresholds for metrics to provide a baseline user behavior profile. These thresholds and/or metrics can be updated (e.g., trained) based on monitored activities for one or more users (e.g., a specific user and/or a group of users, such as based on job/role of the group of users, such as executive group, engineering group, marketing group, finance group, sales group, legal group, etc.). A” Treat ¶ 46. Also ¶ 101, groups of users training the model.),
where the email module is configured to convey this information to the modules in the endpoint agent extension through the secure communications module. (“to perform an endpoint action, as also shown in FIG. 7)” Treat ¶ 88)
As to claims 8 and 18, Treat discloses the software/method of claims 1 and 11 and further discloses:
where the endpoint agent extension and a cyber security appliance on a network cooperate to track and maintain a dynamic profile modeled for each email user in a domain who compose emails, (“a behavior profile generator is provided using prevention controller 450 as shown with behavior profile generator 730 in FIG. 7, using a cloud security service” Treat ¶ 98)
which is 1) derived from a pattern-of-life for i) a corresponding email user in the email domain, (“the behavior profile for the user can include a plurality of metrics based on one or more file transfer application activities associated with the user,” Treat ¶ 36)
ii) an organization that the individual user of the email domain is a part of, and iii) smaller clustered peer groups who have close associations with a given user on a per user basis, as well as (“a static default value can be utilized for thresholds for metrics to provide a baseline user behavior profile. These thresholds and/or metrics can be updated (e.g., trained) based on monitored activities for one or more users (e.g., a specific user and/or a group of users, such as based on job/role of the group of users, such as executive group, engineering group, marketing group, finance group, sales group, legal group, etc.). A” Treat ¶ 46. Also ¶ 101, groups of users training the model.),
2) factor in network metrics with email domain metrics to make a decision that the behavior is deviating from the pattern-of-life for the email under analysis and any of its files attached or linked, (Treat ¶¶ 41 and 51) where the cyber security appliance is configured to convey this information to the modules in the endpoint agent extension through the secure communications module. (“receive and transmit communications to and from the prevention controller can be encrypted using a standard encryption protocol (e.g., SSL or another standard encryption protocol).” Treat ¶ 94).
As to claim 19, Treat discloses the software/method of claims 1 and 11 and further discloses:
tracking and maintaining a dynamic profile modeled in a user model for each email user in the domain who compose emails, (“the behavior profile for the user can include a plurality of metrics based on one or more file transfer application activities associated with the user,” Treat ¶ 36) as well as cooperate with a model of email and network activities of each peer group in an organization as well as a model of an organization's email activity in general, (“a static default value can be utilized for thresholds for metrics to provide a baseline user behavior profile. These thresholds and/or metrics can be updated (e.g., trained) based on monitored activities for one or more users (e.g., a specific user and/or a group of users, such as based on job/role of the group of users, such as executive group, engineering group, marketing group, finance group, sales group, legal group, etc.). A” Treat ¶ 46. Also ¶ 101, groups of users training the model.) where the inputs from all three of these different modeled insights is factored into the dynamic profile (“These thresholds and/or metrics can be updated (e.g., trained) based on monitored activities for one or more users” Treat ¶ 46) when making a decision whether the outbound email by the user is unusual and triggers a further analysis. (“network device and/or endpoint agent can detect a file transfer activity that does not match the behavior profile for Alice (e.g., based on APP ID and user ID techniques as described below, it can be determined that Alice is sending a threshold amount of data in a predefined period of time using such a new FT service/application), and the network device and/or endpoint agent can then block/kill that file transfer activity or perform another responsive action based on this example ITP policy” Treat ¶ 51. Behavior of app ID/user ID triggers further analysis of threshold amount of data. Also the notification of ¶ 97)
As to claim 10, Treat discloses the software/method of claims 1 and 11 and further discloses:
where, in addition to directing actions to prevent (a) the data exfiltration threat, (b) the malicious and anomalous behavior threat, and (c) any combination of these two determinations, (Treat ¶¶ 41 and 51 as cited above)
the action module of the endpoint agent extension is further configured to direct the autonomous actions against the outbound email and its files when additional determinations are made including (d) sending a notification to the user on whether they intend to send the outbound email to a deemed errant email recipient address, (“For example, ACME Company can prohibit enterprise users from utilizing example-site.com for any file transfer activities.” Treat ¶ 126. Notification based on recipient, see below.) as well as (e) sending a notification to the user when the email under analysis including any attached or linked files is determined to violate an email policy implemented by an organization that contains the user. (“generate an alert warning the user that such is a disallowed file transfer application/activity).” Treat ¶ 126)
Claim(s) 9 is/are rejected under 35 U.S.C. 103 as being unpatentable over Treat et al., US 2017/0264628 (published 2017), in view of Yaghmour, US 2006/0123476 (published 2006), and Jaiswal, US 2015/0143518 (published 2015).
As to claim 9, Treat in view of Yaghmour discloses the software/method of claims 1 and 11 and further discloses:
where an email module in the network cyber security appliance is configured to track and maintain a dynamic profile modeled in a user model for each email user in the domain who compose emails, (“the behavior profile for the user can include a plurality of metrics based on one or more file transfer application activities associated with the user,” Treat ¶ 36) as well as cooperate with a model of email and network activities of each peer group in an organization as well as a model of an organization's email activity in general, (“a static default value can be utilized for thresholds for metrics to provide a baseline user behavior profile. These thresholds and/or metrics can be updated (e.g., trained) based on monitored activities for one or more users (e.g., a specific user and/or a group of users, such as based on job/role of the group of users, such as executive group, engineering group, marketing group, finance group, sales group, legal group, etc.). A” Treat ¶ 46. Also ¶ 101, groups of users training the model.), where the inputs from all three of these different modeled insights is factored into the dynamic profile (“These thresholds and/or metrics can be updated (e.g., trained) based on monitored activities for one or more users” Treat ¶ 46) when making a decision whether the outbound email by the user is unusual and triggers a further analysis, (“network device and/or endpoint agent can detect a file transfer activity that does not match the behavior profile for Alice (e.g., based on APP ID and user ID techniques as described below, it can be determined that Alice is sending a threshold amount of data in a predefined period of time using such a new FT service/application), and the network device and/or endpoint agent can then block/kill that file transfer activity or perform another responsive action based on this example ITP policy” Treat ¶ 51. Behavior of app ID/user ID triggers further analysis of threshold amount of data. Also the notification of ¶ 97) and wherein a secure communications module in the endpoint agent extension is configured to securely receive (“receive and transmit communications to and from the prevention controller can be encrypted using a standard encryption protocol (e.g., SSL or another standard encryption protocol).” Treat ¶ 94)
for each email user in the domain who composes emails, (Treat ¶ 51)…
where the email module is configured to generate the dynamic profiles sent to the secure communications module. (“executed on the prevention controller and/or the cloud security service to generate, train, and update/enhance behavior profiles for automated insider threat prevention,” Treat ¶ 113)
Treat in view of Yaghmour does not disclose:
Receive an instance of a dynamic profile, … as well as a memory to store the instances of dynamic profiles for each of the users on the end point device for quicker processing of each outbound mail under analysis,
Jaiswal discloses:
Receive an instance of a dynamic profile, … as well as a memory to store the instances of dynamic profiles for each of the users on the end point device for quicker processing of each outbound mail under analysis,
(“the training phase is implemented in the structure analyzer 122 on the server computing system 106, as part of the DLP system 108, and the detection phase is implemented in the structure analyzer 122 on the client computing system 102.” Jaiswal ¶ 28. See Jaiswal Figure 3)
A person of ordinary skill in the art before the effective filing date of the claimed invention would have implemented the machine learning trainer on the server side (network device) of Treat and provided the model for endpoint (endpoint agent) to detect threats. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Treat in view of Yaghmour with Jaiswal in order to train the model (Jaiswal ¶ 28) using data from a plurality of entities/endpoints (Jaiswal ¶ 26) and therefore trained on a broader spectrum of training data (e.g. Treat ¶¶ 46 and 101).
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See PTO-892, particularly:
Seshandri et al., US 2005/0182938, discloses an email client plugin.
Yen, US 2006/0259558, discloses a plugin program for handling spam emails.
Avritch et al., US 2007/0143407, discloses an email certification service using a plugin.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL W CHAO whose telephone number is (571)272-5165. The examiner can normally be reached M, W-F 8-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Rupal Dharia can be reached at (571) 272-3880. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/MICHAEL W CHAO/ Primary Examiner, Art Unit 2492